• State Verified Answer
  • Replies 10 replies
  • Subscribers 74 subscribers
  • Views 1505 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 323160
Options

Directed advertising to Android phone without bonding

droberson

Hello,

Here is my setup:

  • Hardware
    • nRF52840 development kit - Qty: 2
      • One in Central Role
      • One in Peripheral Role
    • Android Phone (Google Pixel 4a)
  • Software
    • SDK 15.2 (Using old SDK because I am making changes to an old project)
    • SoftDevice: s140_nrf52_6.1.0

I have a few questions that I think I know the answer to, but can't find a definitive answer online. The questions are listed at the bottom of this post. To preface, I have read many posts on the Nordic devzone regarding this very topic. At present, my existing project performs directed advertising using an address type of BLE_GAP_ADDR_TYPE_RANDOM_STATIC. This works without issue between two nRF52840 development kits. The Central can connect to the Peripheral with this configuration, and I can see the directed advertisements in Wireshark with a Nordic devkit as a BLE sniffer. The directed advertisement packets list the "Target Address" as the static address of the Central. This is expected.

Now, I am trying to use an Android phone as the Central while the Peripheral directly advertises to it without having to bond.  The reason I don't want to bond is because our project does not currently use the peer manager. Integrating the peer manager into an existing project that is already in the field is not a trivial task and poses significant risk of breaking the current design and introducing bugs. Our device uses directed advertising to the Central so "average" users can't see the advertising packets on their phones, tablets, etc. I realize directed advertising provides no security and an attacker can see the directed advertisements and spoof the Central's BLE address. It's more of a way to filter out the advertising traffic since multiples of these devices can be in close proximity. 

Here is what I understand about direct advertising to an Android (and iPhone):

  • Android uses a BLE MAC type of BLE_GAP_ADDR_TYPE_RANDOM_PRIVATE_RESOLVABLE
    • This is a security feature to prevent location tracking
    • This results in the phone changing is BLE MAC at a defined interval (Usually every 15 minutes but can vary)
  • The Identity Resolving Key (IRK) allows the Peripheral to resolve the identity of the Android phone, which is shared during the standard BLE bonding process.

To achieve directed advertising to an Android phone without bonding, my plan was to do the following:

  1. Obtain the IRK from the Android phone manually.
    1. I have already done this using a nRF52840 development kit.
    2. As far as I know, the IRK stays the same for the life of the phone. Please correct me if I am wrong.
  2. Inject the phone IRK into the Peripheral and use this to advertise to the Android phone.
    1. Using a similar process as seen in this post:  Directed advertising with pre-shared IRK  and "Variant #1" in this bounce diagram: https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.s132.api.v3.0.0%2Fgroup___b_l_e___g_a_p___p_r_i_v_a_c_y___a_d_v___d_i_r___p_r_i_v___m_s_c.html&cp=2_3_0_1_1_2_1_3_9_1 

Questions:

  1. Is it possible for a nRF52840 to directly advertise (and connect) to an Android phone with a pre-shared IRK without bonding to it as proposed above?
  2. How does the Peripheral know what BLE MAC to insert into the direct advertising packet if the Android phone changes its MAC every 15 minutes?

Thanks,

Derek

  • 0
    Is it possible for a nRF52840 to directly advertise (and connect) to an Android phone with a pre-shared IRK without bonding to it as proposed above?

    Yes, This is how many customers/products have done it aswell. but that was on the older SDK, I need to dig a bit to find how to do this in nRF connect SDK.

    How does the Peripheral know what BLE MAC to insert into the direct advertising packet if the Android phone changes its MAC every 15 minutes?

    Again using whitelisting on IRK seems to be the solution here, as IRK wont change over time.

    As far as I know, the IRK stays the same for the life of the phone. Please correct me if I am wrong.

    You are right.

  • 0 in reply to Susheel Nuguru

    Hey Susheel,

    Thanks for the reply.

    Susheel Nuguru said:
    Yes, This is how many customers/products have done it aswell. but that was on the older SDK, I need to dig a bit to find how to do this in nRF connect SDK.

    I am not using nRF Connect SDK. Per the Software section at the beginning of my post, I am using SDK15.2.

    Susheel Nuguru said:
    Again using whitelisting on IRK seems to be the solution here, as IRK wont change over time.

    You cannot perform whitelisting and directed advertising at the same time, so how does whitelisting apply to question #2?

    Source:  Whitelisting and Directed Advertising Simultaneously  

    Thanks,

    Derek

  • 0 in reply to droberson

    Derek,

    Sorry for delays, I was stuck in something else and did not manage to unplug from it. Thanks for being nice and patient. Really appreciate it. 

    droberson said:
    You cannot perform whitelisting and directed advertising at the same time, so how does whitelisting apply to question #2?

    Yes, sorry, Whitelisting cannot be used with directed advertising as it is assumed that you already know which device you want to communicate with.

    If you know that you want to connect to some Android phone, then you need to first connect and pair with it atleast once so that the Android phone can share its IRK with your device. Once you get it and save it, you can use it to check that the new device address used by Android phone is generated by the same IRK or not. You only send directed advertising to devices that pass this translation.

  • 0 in reply to Susheel Nuguru

    Susheel,

    No worries, thanks for the reply. I already have the IRK from the phone I am trying to directly advertise to.

    Susheel Nuguru said:
    Once you get it and save it, you can use it to check that the new device address used by Android phone is generated by the same IRK or not. You only send directed advertising to devices that pass this translation.

    I am not sure what you mean by this. "You can use it to check that the new device address" sounds like the Peripheral needs to listen to scan requests from all Centrals. In order to do this, the Peripheral would need to advertise to all Centrals, which defeats the purpose of what I want to achieve (direct advertising).

    To summarize and clarify my original post, I want to directly advertise to an Android phone 100% of the time unless connected to the phone. Is this possible so long as the Peripheral device knows the Android phone's IRK?

    To me, this doesn't seem possible because the Android phone rotates it's MAC every 15 minutes or so, hence why I am looking for a definitive answer.

    Thanks,

    Derek

Related
Terms of service